T-Mobile has suffered a massive data breach. His response is the first thing no business should ever do.

Over the past week, T-Mobile confirmed it was the subject of a massive data breach that exposed the personal information of at least 50 million people. This information includes first and last names, dates of birth, social security numbers and driver’s license information. This is pretty much the worst-case scenario, and the only reason we found out was that the company responded to a report from Vice motherboard.

The information primarily belongs to the people who have requested accounts with T-Mobile and provided the information for the purposes of a credit check. This means that even people who aren’t actually customers are likely to be affected if they’ve tried to open an account before.

The company’s response has been, well, disappointing. For example, I am a T-Mobile customer and have yet to receive any communication from the company regarding the violation. Does this mean that my information is safe? It’s hard to know.

However, T-Mobile is speaking to news organizations and wants it to be made very clear that “no financial information or credit or debit card information” has been compromised. It’s not particularly reassuring if someone has all the other information they would need to just open a credit card in your name.

Worse yet, it offers a huge gift to hackers who trade SIM cards. If you are unfamiliar with SIM swapping, this is where someone is able to convince a phone operator that they are someone else and that person’s phone number goes through. under its control.

It might seem like a strange hack until you realize that most of the things that we prefer to prevent a hacker from are protected by two-factor authentication (2FA), which in most cases involves sending messages. ‘a text message on your mobile phone. . This means that if a hacker has access to your phone number, they have access to much of your information, including – in many cases – your online bank accounts.

This is all bad, but let’s get back to the part where T-Mobile isn’t doing much to educate customers yet. Because, if you’ve put the personal information of more than 50 million people at risk, your first job is to help them protect themselves.

T-Mobile posted a blog post with information for affected customers, but did not, as far as I know, contact customers directly apart from a text message saying:

T-Mobile has determined that unauthorized access to some of your information, or others on your account, has occurred, such as name, address, phone number and date of birth. It is important to note that we have NO information to indicate that your SSN, personal financial or payment information, credit / debit card information, account numbers or passwords have been accessed. We take the protection of our customers seriously. Learn more about the practices that keep your account safe and general recommendations to protect yourself: t-mo.co/Protect

The problem is, this post sounds like a gross understatement of what really happened. Just because you have “no information” that a specific client’s SSN has been compromised, in this case it is probably good practice to assume that it has and act on it. Additionally, not all of T-Mobile’s customers have received an SMS notification, which has left them wondering whether or not they’ve been affected.

In fact, I think you can safely say that T-Mobile’s response manages to do something that seems almost unthinkable – it makes the company look worse than the hacker who took the information in the first place. This is because the people who hack into company systems and steal information are criminals. We know this and we expect them to do bad things.

As for the companies to which we give our information, we expect them to protect this data. It is not unreasonable. It is also not unreasonable to expect that if someone steals our information, these companies must be direct and transparent about what happened, what they are doing about it, and what actions they are taking. we need to take. If you can’t protect our information, at least tell us what we need to do to protect ourselves.

T-Mobile’s blog post says all the right words. For example, he explains that the company “is relentlessly focused on taking care of our customers – that has not changed. We have worked tirelessly to deal with this event and continue to protect you, which includes to take immediate action to protect anyone who may be at risk. “

Except if you relentlessly focus on caring for your customers, communication is pretty important. This is true all the time, but especially when their personal information is at risk.

If you want to protect your personal information, first log into your T-Mobile account and change your password to a secure one. Even though usernames and passwords have not been stolen, T-Mobile allows users to access their accounts with their phone numbers. If a hacker has your phone number, I’ve already explained why that’s bad news.

Then put a freeze on your credit reports. The three major credit bureaus allow you to lock your reports so that if someone tries to open credit on your behalf, they will be blocked and you will be notified. T-Mobile also says it offers its users two years of identity protection from McAfee, which serves a similar purpose.

Finally, T-Mobile offers an “Account Takeover Protection” service that you can add to your account for free. This prevents someone from transferring your phone number to another operator without your permission.